Wednesday, June 3, 2015

ClamAV 0.99b Meets YARA!

The first beta release of ClamAV 0.99 is now on SourceForge!
ClamAV 0.99 has some important new features to improve malware detection.

First, ClamAV 0.99 supports YARA rules. YARA is another
popular open source project for malware detection, analysis, and classification.
YARA rules, in a nutshell, contain a list of strings and a powerful logical
expression called the YARA condition. A YARA condition is typically composed of
logical operations upon the YARA rule’s strings, with many other condition operators
available as well. YARA strings come in three flavors: literal text strings (with
modifier keywords NOCASE, FULLWORD, WIDE and ASCII), hexadecimal (including
wildcard and alternates, similar to substrings in ClamAV’s logical signatures),
and regular expressions. The full documentation about YARA rules may be found
at http://plusvic.github.io/yara/.

One of the key benefits ClamAV brings to YARA is leveraging ClamAV’s
myriad file decomposition capabilities. This enables YARA rules to automatically
match on malware residing in any of the compression, archive, document, or
packer formats provided by ClamAV.

Using YARA rules with ClamAV is simple - just place your YARA
rule files into the ClamAV virus database location. This is /usr/local/share/clamav
by default. Alternatively, you can place them in other locations and reference
them with the “--database” command line option for clamscan or the clamd.conf “DatabaseDirectory”
parameter if you are using clamd and clamdscan.

Additionally in ClamAV 0.99, we have added regular
expression support to ClamAV’s logical signatures. This will enable signature
authors to more readily reuse regular expression constructs from the Snort rule
collection, thus providing more powerful malware detection for ClamAV.

Regular expressions in both YARA rules and ClamAV logical
signatures require the Perl Compatible Regular Expressions (PCRE) library. Please
ensure PCRE is installed on your system when configuring ClamAV. ClamAV
configuration will automatically look for PCRE in /usr/lib and /usr/local/lib.
If you have PCRE installed in a different location, use ‘./configure --with-pcre=DIR’ to specify the resident PCRE
directory.

There are currently a few limitations of YARA rules within
ClamAV 0.99 beta1, due either to nonexistent ClamAV capabilities or to YARA
features that did not fit well into the ClamAV processing model. We hope to
further evaluate and include as much of this functionality as possible in subsequent
releases. YARA rules using any of the following features will be flagged in
error, and the respective rules will be disabled:

Single byte YARA string components – currently in
the ClamAV matcher, all strings, as well as components of strings delimited by
wild cards, must be at least two bytes in length

External variables – variables referenced in
YARA conditions whose value may be set using the ‘yara -d’ command line option.

Private rules – YARA rules which do not trigger
by themselves. They are intended to match only when referenced by other YARA
rules. These use the private keyword.

Global rules – YARA rules whose conditions are
intended to be in effect for all other YARA rules. These use the global keyword.

Modules – A YARA feature intended to provide modular
extensions to the YARA core. Modules are normally activated using the import keyword.

Rules precompiled with the YARA compiler –
ClamAV only reads YARA rules in the original source form.

Rule tags – intended to provide a results
filtering mechanism by specifying tag names on YARA rules and then using the ‘yara -t’ command to name the matching
rule tags of interest.

References to other rules – intended to use the
results from other YARA rules in a YARA condition.

YARA rules containing only a YARA condition –
YARA rules in ClamAV currently must contain at least one string.
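Added example, not part of the ClamAV post or the ClamAV/YARA code bases: a small Python pre-flight check that flags most of the limitations listed above in a YARA rule file before it is dropped into the database directory. It is regex-based, assumes one rule per "rule NAME {" header, and does not try to detect external variables or precompiled rules; the sample rule file is constructed for this example.

```python
import re

# Added pre-flight check (not ClamAV's or YARA's own code) for the YARA features the
# post says ClamAV 0.99 beta1 disables. Regex-based: assumes "rule NAME {" headers.
HEADER = re.compile(r'^[ \t]*(?P<mods>(?:(?:private|global)[ \t]+)*)rule[ \t]+'
                    r'(?P<name>\w+)(?P<tags>[ \t]*:[ \t]*[\w \t]+)?[ \t]*\{', re.M)

def short_strings(body):
    """Ids of strings whose text is one character or whose hex has a component < 2 bytes."""
    found = set()
    for sid, text in re.findall(r'(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"', body):
        if len(re.sub(r'\\x..|\\.', 'x', text)) < 2:      # an escape counts as one byte
            found.add(sid)
    for sid, hexs in re.findall(r'(\$\w*)\s*=\s*\{([^}]*)\}', body):
        toks = re.sub(r'\[[^\]]*\]|[()|]', ' ? ', hexs).split()   # jumps/alternates split too
        kinds = ''.join('B' if re.fullmatch('[0-9A-Fa-f]{2}', t) else ' ' for t in toks)
        if not kinds.split() or min(len(run) for run in kinds.split()) < 2:
            found.add(sid)
    return sorted(found)

def lint(source):
    """Return (rule, problem) pairs for features ClamAV 0.99 beta1 would disable."""
    problems = [('<file>', 'modules (import) are not supported')] \
        if re.search(r'^\s*import\s+"', source, re.M) else []
    heads = list(HEADER.finditer(source))
    names = {h.group('name') for h in heads}
    for h, nxt in zip(heads, heads[1:] + [None]):
        name, body = h.group('name'), source[h.end():(nxt.start() if nxt else len(source))]
        cond = body.split('condition:', 1)[-1]
        checks = [(h.group('mods'), 'private/global rules are not supported'),
                  (h.group('tags'), 'rule tags are not supported'),
                  ('strings:' not in body, 'condition-only rule: at least one string is required')]
        checks += [(re.search(r'\b%s\b' % o, cond), 'references rule ' + o) for o in sorted(names - {name})]
        checks += [(True, sid + ' has a component shorter than two bytes') for sid in short_strings(body)]
        problems += [(name, msg) for hit, msg in checks if hit]
    return problems

# Constructed sample: a rule tripping several limits, one referencing it, one with no strings.
SAMPLE = r'''import "pe"
private rule helper : t1 {
    strings: $a = "A"
             $h = { 4D 5A ?? 90 [2-4] (E8|E9) }
    condition: $a or $h
}
rule uses_helper {
    strings: $s = "constructed-marker"
    condition: $s and helper
}
rule cond_only { condition: filesize > 1024 }
'''
```

Running lint(SAMPLE) reports seven problems across the first three rules; a rule whose strings all have components of two or more bytes and whose condition only uses its own strings passes clean.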